Problem Overview:
When I attempted to connect to a virtual desktop (VD) using Windows' Remote Desktop (RD) Connection application from an external network, I encountered a certificate subject mismatch error.
“Your computer can’t connect to the remote computer because the Remote Desktop Gateway server address requested and the certificate subject name do not match. Contact your network administrator for assistance.”
Is there a way to get RD Gateway to just avoid certificate authentication in general (for Windows Server 2012)? If not, below is a more detailed description of the problem (I think it said somewhere “RDS requires certificates for server authentication”).
Network Setup:
Below is a simplified version of my setup.
- Domain Info:
  - Internal Domain Name: misoit.edu
  - External Domain Name (from JustHost): outside.net
  - “outside.net” (from JustHost) is configured to re-direct itself to http://10.10.10.2
- Router Info:
  - Gateway Router External IP Address (from ISP): 10.10.10.2 [fake]
  - Router forwards ports 3389, 443, and 80 to the internal server.
- Server and Client Info:
  - The same server has the RD services installed (RD Web Access, RD Gateway, RD Virtualization Host).
  - The same server hosts the VDs.
  - Server hostname: vd-host
  - Virtual Desktop (VD) name: Win8VD-0 (I picked one out of a couple).
Background:
I’m currently setting up a VDI environment and have forgone the option of accessing the VDs using a web browser, for I believe the web service did not configure the .rdp files correctly.
Error Re-creation Steps:
Step 1: When I first installed RD Gateway, I made self-signed certificates using “outside.net” and applied them to all RD services.
Step 2: I imported the created certificate, via USB flash drive, to the external client and made sure it got inserted into the “Trusted Root Certification Authorities”.
Step 3: I attempted to use RD Connection in two ways. The first way inserts “outside.net” as the “Server name:” and the second way inserts “10.10.10.2” as the “Server name:” so I essentially tried connecting twice, but changing just one field each time. Both attempts ended up with the error. So visually, when I load RD Connection app, the fields would be
Under General tab
- Computer: Win8VD-0 (Virtual Desktop Name)
- User name: misoitedu\mis.student (Domain\Domain User Name)
Under Advanced tab in Settings
- Server name: outside.net [I used 10.10.10.2 for the second attempt]
- “Bypass RD Gateway server for local addresses” is checked.
- “Use my RD Gateway credentials for the remote computer” is checked.
Step 4: When I clicked connect, a window asks me for the password so I entered it. I also noticed some details on the same window.
“These credentials will be used to connect to the following computers:
1.) Outside.net (RD Gateway server) [10.10.10.2 was shown for the second attempt]
2.) Win8VD-0 (remote computer)”
I continued and it tries to connect (“Initiating remote connection…”), but the error I mentioned at the beginning of this post pops up each time I connect with the different field. When I clicked on “View certificate…” on the error window, I noticed each attempt has different certificate information. If I use “outside.net” then I see the certificate info
- Issued to: *.JustHost.com
- Issued by: PositiveSSL CA
If I use “10.10.10.2” then I believe I see the certificate I imported.
- Issued to: outside.net
- Issued by: outside.net
Deduction:
I could be wrong, but I’m thinking when I used “outside.net” the external client was using the wrong certificate (not the one I imported). When I used “10.10.10.2” it used the right certificate, but maybe putting an actual IP address in the “Server name:” section threw it off? I was also thinking about using a different FQDN like vd-host.outside.net or Win8VD-0.outside.net but I think I'm getting a bit wild here.
Question:
So, how would I make the external client use the certificate I imported when I use “outside.net” to connect? If I’m way off in my deduction, then where should I begin to troubleshoot?
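As an added illustration (not part of the original post), the check below reproduces the name-matching rule that a TLS client applies when it compares the name typed into “Server name:” against the certificate the gateway presents. The two certificates are constructed from the details quoted in the post (the JustHost wildcard certificate and the self-signed “outside.net” certificate); their SAN lists are assumptions, since the post only shows the “Issued to” and “Issued by” fields. It shows why both attempts fail for different reasons: the “outside.net” attempt is answered by a certificate whose wildcard cannot cover that name, and the “10.10.10.2” attempt uses an IP literal, which only ever matches an iPAddress SAN, never a subject CN of “outside.net”.

```python
"""Added example: minimal RFC 6125-style hostname matching, used to explain
the two RD Gateway certificate mismatch attempts described in the post.
Certificate contents below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PresentedCert:
    """The fields a client shows under 'View certificate...' plus its SANs."""
    issued_to: str                       # subject common name (CN)
    issued_by: str                       # issuer common name
    dns_sans: List[str] = field(default_factory=list)
    ip_sans: List[str] = field(default_factory=list)


def _dns_name_match(pattern: str, name: str) -> bool:
    """Case-insensitive DNS match. A wildcard is honoured only in the
    leftmost label and matches exactly one label, so '*.justhost.com'
    matches 'www.justhost.com' but neither 'outside.net' nor
    'a.b.justhost.com'."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    head, sep, rest = name.partition(".")
    return bool(sep) and head != "" and rest == pattern[2:]


def _is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def name_matches(requested: str, cert: PresentedCert) -> bool:
    """Return True if the requested server name is covered by the certificate."""
    if _is_ip_literal(requested):
        # An IP literal is compared only against iPAddress SAN entries;
        # a CN such as 'outside.net' never satisfies it.
        wanted = ipaddress.ip_address(requested)
        return any(ipaddress.ip_address(ip) == wanted for ip in cert.ip_sans)
    # DNS names: SAN entries take precedence; the CN is consulted only
    # when the certificate carries no dNSName SANs at all.
    candidates = cert.dns_sans if cert.dns_sans else [cert.issued_to]
    return any(_dns_name_match(c, requested) for c in candidates)


# Constructed from the post: what each attempt saw under 'View certificate...'.
JUSTHOST_CERT = PresentedCert(
    issued_to="*.JustHost.com", issued_by="PositiveSSL CA",
    dns_sans=["*.justhost.com", "justhost.com"],   # assumed SAN list
)
SELF_SIGNED_CERT = PresentedCert(
    issued_to="outside.net", issued_by="outside.net",  # assumed: no SANs
)


def diagnose_attempts() -> Dict[str, bool]:
    """Evaluate the two 'Server name:' values from the post against the
    certificate each attempt actually received."""
    return {
        # Attempt 1: typed 'outside.net', but the wildcard JustHost cert came back.
        "outside.net vs *.JustHost.com": name_matches("outside.net", JUSTHOST_CERT),
        # Attempt 2: typed the IP literal; the self-signed cert has no IP SAN.
        "10.10.10.2 vs CN=outside.net": name_matches("10.10.10.2", SELF_SIGNED_CERT),
        # For contrast: the self-signed cert does cover 'outside.net' itself.
        "outside.net vs CN=outside.net": name_matches("outside.net", SELF_SIGNED_CERT),
    }


if __name__ == "__main__":
    for attempt, ok in diagnose_attempts().items():
        print(f"{attempt}: {'match' if ok else 'MISMATCH'}")
```

The first result is consistent with the post's own observation that the “outside.net” attempt returned a JustHost certificate: whichever host answers on port 443 for that name is presenting its own certificate, not the self-signed one installed on vd-host, and no client-side trust store change can make “*.JustHost.com” match “outside.net”. The second result shows that typing the IP address trades one mismatch for another unless the gateway certificate carries that address as an iPAddress SAN.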